Secure Socket Layer (SSL) and Transport Layer Security (TLS) - PowerPoint PPT Presentation

SLIDE 1

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

CSE598K/CSE545 - Advanced Network Security

  • Prof. McDaniel - Spring 2008


SLIDE 2

SSL/TLS

  • The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols implement security at the application layer
  • Popular for securing the web, but not part of it
  • Is a general purpose secure communication protocol suite
  • Uses certificate authentication

[Figure: protocol stack - HTTP, FTP and SMTP run over SSL/TLS, which runs over TCP over IP]

Note: throughout we will focus on SSLv3. Assume SSLv3 unless stated otherwise.

SLIDE 3

Model

  • Often a one-way authentication mechanism, used to prove the authenticity of a web-server to a client.
    • Server-side certificates
    • Root CA certificates distributed with the browser
    • Non-certified (or expired) certificates can be accepted
  • Mutual authentication performed using client-side certificates
    • Less frequently used (almost never in Web applications)
    • Much more frequently used for enterprise-internal applications or as a layer for non-Web based applications.

SLIDE 4

SSL as protocol suite

  • Data Protocols
    • Record Protocol
  • Control Protocols
    • Handshake Protocol
    • Change Cipher Suite Protocol
    • Alert Protocol

[Figure: one SSL session between Alice and Bob carrying many connections]

SLIDE 5

SSL Session State

  • Session ID
  • Peer certificate (sometimes)
  • Cipher Spec
  • Compression algorithm
  • Master Secret


SLIDE 6

SSL Connection State

  • Server and client random
  • Server MAC key
  • Client MAC key
  • Server write key
  • Client write key
  • Initialization vectors


SLIDE 7

Handshake Protocol

  • The purpose of the handshake protocol is to
    • authenticate one or both parties
    • negotiate shared master keys
  • The protocol operates in 4 phases
    • Phase 1: establish security context
    • Phase 2: server publishes certificate and key seeds
    • Phase 3: client completes key exchange
    • Phase 4: complete handshake

SLIDE 8

Phase 1

  • Client sends an offer (CLIENT_HELLO) including
    • SSL Version (highest supported)
    • Random (RC) - { timestamp, plus 28 random bytes }
    • Session ID - { 0 = new session, !0 = refresh }
    • CipherSuite - algorithm selections for security/compression
  • Server replies with a (SERVER_HELLO) response containing
    • Selection of SSL version, crypto and compression algorithms
    • A new session ID (as needed) (SID)
    • A server random number (RS)

SLIDE 9

Phase 2

  • Server sends a (CERTIFICATE)
    • This contains the public key certificate for the server, Ks+
  • Server sends a (SERVER_KEY_EXCHANGE)
    • This contains the server parameters for the key exchange to be performed (there are many variants)
    • For example, anonymous Diffie-Hellman sends the prime number and primitive root (n, r)
    • The key exchange parameters are signed using the private key of the server together with the exchanged random numbers, e.g.,

      $\mathrm{Sig}(K_s^-,\ [\,n \mid g \mid X = g^x \bmod n\,]) = \mathrm{Sig}(K_s^-,\ R_c \mid R_s \mid n \mid g \mid X)$

  • Server sends a completion (SERVER_DONE)

SLIDE 10

Phase 3

  • Client sends a (CERTIFICATE) - optional
    • This contains the public key certificate for the client, Ks+
  • Client sends a response (CLIENT_KEY_EXCHANGE)
    • This contains the client's key exchange parameters
    • As before, this is the client's public Diffie-Hellman parameter
    • Signed if the client has signing capability
  • The parties generate the pre_master_secret:

    $X = g^x \bmod n,\qquad Y = g^y \bmod n,\qquad pms = Y^x \bmod n = X^y \bmod n$

SLIDE 11

Phase 4

  • Both sides complete the process by computing the 48 byte master secret:

    $M_{sk} = \mathrm{MD5}(pms \mid \mathrm{SHA}('A' \mid pms \mid R_c \mid R_s)) \mid \mathrm{MD5}(pms \mid \mathrm{SHA}('BB' \mid pms \mid R_c \mid R_s)) \mid \mathrm{MD5}(pms \mid \mathrm{SHA}('CCC' \mid pms \mid R_c \mid R_s))$

  • Then generate a "key block" of secret bytes:

    $key\_block = \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}('A' \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}('BB' \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}('CCC' \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}('DDDD' \mid M_{sk} \mid R_c \mid R_s)) \mid \ldots$

SLIDE 12

Transport Keys

  • Just use the key_block as a PRF to generate enough bytes to produce the keys for client and server.
  • Note: this PRF is of practically unlimited length and, in practice (although generated differently), is used extensively in TLS.

[Figure: key_block sliced into Client Write Key, Server Write Key, Server MAC Key, Client MAC Key, ...]
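Worked example, added here and not taken from the course slides: the Phase 3 Diffie-Hellman exchange, the Phase 4 master-secret derivation and the key-block expansion and slicing of slides 11 and 12, in Python using only the standard library. The DH parameters n = 23, g = 5 and the exponents 6 and 15 are toy values chosen so the arithmetic can be checked by hand (real deployments used primes of 1024 bits or more); the hello randoms are constructed stand-ins; the split into 20-byte MAC keys, 16-byte write keys and 8-byte IVs is an assumed cipher suite. One caveat from the SSLv3 specification (RFC 6101): the master secret hashes the randoms as Rc|Rs exactly as on the slide, but the key block is defined with them in the order Rs|Rc. The code follows the slide's formula as written and takes the randoms as parameters, so the caller chooses the order.

```python
"""SSLv3 key agreement and key derivation, written out from the slides' formulas.

Added example (not the course's code).  Toy DH parameters, constructed randoms,
assumed key sizes; see the lead-in above.
"""
import hashlib


def toy_dh_exchange(n: int = 23, g: int = 5, x: int = 6, y: int = 15):
    """Phases 2/3: server publishes (n, g, X = g^x mod n), client answers with
    Y = g^y mod n, and both sides arrive at the same pre_master_secret.
    The secret exponents are fixed here only to make the run reproducible."""
    X = pow(g, x, n)            # server's public value
    Y = pow(g, y, n)            # client's public value
    pms_client = pow(X, y, n)   # client computes X^y mod n
    pms_server = pow(Y, x, n)   # server computes Y^x mod n
    return X, Y, pms_client, pms_server


def _md5_sha_round(label: bytes, secret: bytes, rc: bytes, rs: bytes) -> bytes:
    """One 16-byte chunk: MD5(secret | SHA1(label | secret | Rc | Rs))."""
    inner = hashlib.sha1(label + secret + rc + rs).digest()
    return hashlib.md5(secret + inner).digest()


def _label(i: int) -> bytes:
    """'A', 'BB', 'CCC', 'DDDD', ... for round i = 0, 1, 2, 3, ..."""
    return bytes([ord("A") + i]) * (i + 1)


def sslv3_master_secret(pms: bytes, rc: bytes, rs: bytes) -> bytes:
    """Phase 4: the 48-byte master secret is the three rounds A, BB, CCC."""
    return b"".join(_md5_sha_round(_label(i), pms, rc, rs) for i in range(3))


def sslv3_key_block(master: bytes, rc: bytes, rs: bytes, length: int) -> bytes:
    """Expand the master secret into `length` bytes with the same construction,
    continuing the labels (A, BB, CCC, DDDD, ...) until enough bytes exist.
    Pass the randoms in the order the spec you target requires (see lead-in)."""
    out = b""
    i = 0
    while len(out) < length:
        out += _md5_sha_round(_label(i), master, rc, rs)
        i += 1
    return out[:length]


KEY_ORDER = ["client_mac_key", "server_mac_key", "client_write_key",
             "server_write_key", "client_iv", "server_iv"]


def partition_key_block(kb: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Slice the key block into the connection-state keys of slide 6.
    The slice order here is the one RFC 6101 specifies (MAC keys, then write
    keys, then IVs); the slide's figure lists them in a different order."""
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(kb) < sum(sizes):
        raise ValueError("key block too short for the requested key sizes")
    keys, pos = {}, 0
    for name, size in zip(KEY_ORDER, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def derive_connection_keys(rc: bytes, rs: bytes, x: int = 6, y: int = 15,
                           mac_len: int = 20, key_len: int = 16, iv_len: int = 8) -> dict:
    """End to end: toy DH -> pms -> master secret -> key block -> per-direction keys."""
    _, _, pms_c, pms_s = toy_dh_exchange(x=x, y=y)
    assert pms_c == pms_s, "both parties must agree on the shared value"
    pms = pms_c.to_bytes((pms_c.bit_length() + 7) // 8, "big")  # big-endian encoding
    master = sslv3_master_secret(pms, rc, rs)
    needed = 2 * (mac_len + key_len + iv_len)
    return partition_key_block(sslv3_key_block(master, rc, rs, needed), mac_len, key_len, iv_len)


if __name__ == "__main__":
    # Constructed stand-ins for ClientHello.random and ServerHello.random.
    rc, rs = bytes(range(32)), bytes(range(32, 64))
    for name, value in derive_connection_keys(rc, rs).items():
        print(f"{name:18s} {value.hex()}")
```

Two things the run makes visible that the slide's formula does not: every key for both directions is a deterministic function of (pms, Rc, Rs), so the randoms are what keep a replayed handshake from reproducing old keys, and the key block is simply consumed in order, so any change in the agreed cipher suite's key sizes shifts every slice after it.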

SLIDE 13

Record Protocol

  • Provides to client (initiator) and server (service)
    • Confidentiality (via encryption)
    • Integrity (via MAC)
  • Data is fragmented, compressed, and security constructions applied.

[Figure: record protocol pipeline - Original Data is split into Fragmented Data blocks; each is compressed, a MAC is appended, the result is encrypted, and a header (HDR) is prepended]

SLIDE 14

RFC 2104 (MAC for TLS)

Given:
  h() = hash function
  B = input/output byte-length of h
  K = a secret key
  pad_i = inner pad = 0x35 repeated B times
  pad_o = outer pad = 0x5C repeated B times
  text = text to MAC

Compute the MAC:

  $\mathrm{MAC}(K, text) = H\big((K \oplus pad_o) \mid H((K \oplus pad_i) \mid text)\big)$
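The construction above written out step by step, as an added example that is not part of the slides. Two details differ from the slide's summary and follow RFC 2104 itself: the inner pad byte is 0x36 (the slide prints 0x35) and B is the byte length of the hash function's input block (64 for MD5 and SHA-1), not of its output; keys longer than B are first hashed down, and shorter keys are zero-padded to B. The standard-library `hmac` module is used only as an independent reference to check the hand-written version against, and the known-answer values are the first two test vectors published with RFC 2104.

```python
"""HMAC per RFC 2104, written out from the definition.  Added example, not
code from the course; uses only the Python standard library."""
import hashlib
import hmac


def hmac_rfc2104(key: bytes, text: bytes, algo: str = "md5") -> bytes:
    """MAC(K, text) = H((K xor pad_o) | H((K xor pad_i) | text))."""
    B = hashlib.new(algo).block_size        # input block size: 64 for MD5/SHA-1
    if len(key) > B:                        # RFC 2104: long keys are hashed first
        key = hashlib.new(algo, key).digest()
    key = key.ljust(B, b"\x00")             # then zero-padded out to B bytes
    k_ipad = bytes(k ^ 0x36 for k in key)   # K xor pad_i (0x36 repeated B times)
    k_opad = bytes(k ^ 0x5C for k in key)   # K xor pad_o (0x5C repeated B times)
    inner = hashlib.new(algo, k_ipad + text).digest()     # H((K xor pad_i) | text)
    return hashlib.new(algo, k_opad + inner).digest()     # H((K xor pad_o) | inner)


def reference_hmac(key: bytes, text: bytes, algo: str = "md5") -> bytes:
    """Independent reference: the standard library's HMAC."""
    return hmac.new(key, text, algo).digest()


def mac_matches(key: bytes, text: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Receiver-side check.  compare_digest runs in constant time so a
    forger learns nothing from how long a rejection takes."""
    return hmac.compare_digest(hmac_rfc2104(key, text, algo), tag)


if __name__ == "__main__":
    key, text = b"\x0b" * 16, b"Hi There"      # RFC 2104 test vector 1
    tag = hmac_rfc2104(key, text)
    print(tag.hex(), mac_matches(key, text, tag), mac_matches(key, text + b"!", tag))
```

The nested hash is what separates HMAC from the naive H(K | text): with a single hash, anyone holding a valid tag for `text` could extend the message and recompute the tag without the key, while the outer keyed hash closes that off.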

SLIDE 15

Alert/CCS Protocol

  • Change Cipher Suite Protocol
    • Triggered at the end of the handshake; causes the security association to be enabled
  • Alert Protocol - signals
    • MAC failure
    • No known certificate
    • Handshake failure
    • Bad certificate
    • Close notification
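The record-protocol pipeline of slide 13 (fragment, compress, MAC, encrypt) and the receive side that raises the MAC-failure signal of the alert protocol, as an added example that is not part of the slides. It uses only the Python standard library, so the cipher is a stand-in: a keystream derived from SHA-256 over the write key, record number and counter, XORed into the body. SSLv3 negotiated real ciphers here and this stand-in is not one of them. The MAC input (sequence number, content type, length, fragment) is a simplification of TLS 1.0's, which also covers the protocol version; SSLv3's own MAC construction differs from HMAC. The 2^14-byte fragment ceiling is the one SSL and TLS impose; the keys and data are constructed.

```python
"""Record-layer pipeline in the style of SSL/TLS.  Added example, not the
course's code; stand-in cipher and simplified MAC input, see the lead-in."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # SSL/TLS fragment ceiling
CT_APPLICATION_DATA = 23        # content type byte carried in the header
MAC_LEN = 20                    # HMAC-SHA1 tag length


class MacFailure(Exception):
    """What the receiver would turn into the alert protocol's MAC-failure signal."""


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key | seq | counter) blocks (not SSL's)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QI", seq, ctr)).digest()
        ctr += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """HMAC over sequence number, content type, length and the fragment."""
    header = struct.pack(">QBH", seq, ctype, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(data: bytes, write_key: bytes, mac_key: bytes,
            ctype: int = CT_APPLICATION_DATA, start_seq: int = 0) -> list:
    """Sender: fragment -> compress -> MAC -> encrypt -> prepend header."""
    records = []
    for i in range(0, max(len(data), 1), MAX_FRAGMENT):
        seq = start_seq + len(records)
        compressed = zlib.compress(data[i:i + MAX_FRAGMENT])
        body = compressed + _mac(mac_key, seq, ctype, compressed)   # MAC-then-encrypt
        ciphertext = _xor(body, _keystream(write_key, seq, len(body)))
        records.append(struct.pack(">BH", ctype, len(ciphertext)) + ciphertext)
    return records


def unprotect(records: list, write_key: bytes, mac_key: bytes, start_seq: int = 0) -> bytes:
    """Receiver: decrypt -> verify MAC -> decompress -> reassemble.
    Any mismatch raises MacFailure before the payload is decompressed."""
    out = b""
    for k, rec in enumerate(records):
        seq = start_seq + k
        ctype, length = struct.unpack(">BH", rec[:3])
        ciphertext = rec[3:3 + length]
        if len(ciphertext) != length:
            raise MacFailure(f"truncated record {seq}")
        body = _xor(ciphertext, _keystream(write_key, seq, len(ciphertext)))
        compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, compressed)):
            raise MacFailure(f"MAC failure on record {seq}")
        out += zlib.decompress(compressed)
    return out


def tamper_is_detected(data: bytes, write_key: bytes, mac_key: bytes) -> bool:
    """Flip one ciphertext bit of the first record; the MAC check must reject it."""
    recs = protect(data, write_key, mac_key)
    first = bytearray(recs[0])
    first[5] ^= 0x01
    recs[0] = bytes(first)
    try:
        unprotect(recs, write_key, mac_key)
        return False
    except MacFailure:
        return True


def reorder_is_detected(data: bytes, write_key: bytes, mac_key: bytes) -> bool:
    """Swap two records; the sequence number inside the MAC must reject it."""
    recs = protect(data, write_key, mac_key)
    recs[0], recs[1] = recs[1], recs[0]
    try:
        unprotect(recs, write_key, mac_key)
        return False
    except MacFailure:
        return True


if __name__ == "__main__":
    wk, mk = b"w" * 16, b"m" * 20                  # constructed keys
    payload = b"x" * 40000                          # spans three fragments
    recs = protect(payload, wk, mk)
    print(len(recs), unprotect(recs, wk, mk) == payload,
          tamper_is_detected(payload, wk, mk), reorder_is_detected(payload, wk, mk))
```

The run shows why the MAC is computed over more than the fragment: without the sequence number in the MAC input, the two identical compressed fragments of the 40000-byte payload would carry identical tags and swapping them would go unnoticed.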

SLIDE 16

Why?

  • ... does SSL work?
  • ... does SSL not work?
  • ... is SSL so popular?
